CVE-2025-71398 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a public server that redirects to denied network targets, enabling server-side request forgery to access internal endpoints and retrieve sensitive information.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/18/2026

This vulnerability exists in SurrealDB versions prior to 2.2.2 where the HTTP function implementation lacks proper validation of HTTP redirects. The flaw allows authenticated users to exploit a server-side request forgery (SSRF) vector by crafting HTTP requests that redirect to IP addresses which would normally be blocked by network restrictions. When the system processes these redirected requests, it fails to validate whether the final destination falls within the allowed network boundaries, thereby permitting access to internal endpoints that should remain protected from external exposure.

The technical implementation defect stems from insufficient input validation within the HTTP function handling mechanism. Specifically, the system does not perform proper sanitization or verification of redirect locations before proceeding with the actual HTTP request execution. This represents a classic security misconfiguration where network access controls are bypassed through improper redirect handling. The vulnerability enables attackers to circumvent deny-net restrictions that are typically enforced to prevent unauthorized access to internal network resources, essentially creating a tunnel through which malicious requests can traverse protected boundaries.

From an operational impact perspective, this vulnerability exposes organizations to significant risks including unauthorized access to internal databases, file systems, and services that reside behind network firewalls. Attackers can leverage this flaw to enumerate internal network topology, discover sensitive endpoints, and potentially exfiltrate confidential data from systems that should only be accessible within the internal network environment. The authenticated nature of the exploit means that even if external access is restricted, legitimate users with appropriate credentials can be used to launch these attacks, making the vector particularly dangerous in environments where credential management is not tightly controlled.

The vulnerability aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-918 (Server-Side Request Forgery) classifications, representing a combination of improper access control and insecure request handling. It also maps to ATT&CK technique T1071.004 (Application Layer Protocol: DNS) and T1190 (Exploit Public-Facing Application) as attackers can use this vulnerability to extend their reach beyond the initial attack surface. Organizations should implement immediate mitigations including upgrading to SurrealDB 2.2.2 or later, implementing strict redirect validation policies, and configuring network monitoring to detect suspicious redirect patterns. Additionally, organizations should review their HTTP function usage and ensure proper input sanitization is implemented at all levels of request processing to prevent similar vulnerabilities from manifesting in other components of their infrastructure.

Responsible

VulnCheck

Reservation

07/18/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Interested in the pricing of exploits?

See the underground prices here!